Password handling: challenges, costs, and current behavior (now with infographic)

Online passwords are a pain, and not just when you have to type them to access your online bank account or shop at your favorite digital emporium. Password pain extends to the people who have to manage them. A few weeks ago we shared some initial findings from a recent poll of 2,129 U.S. adults (aged 18 and over) conducted for ESET by Harris Interactive. Now that we've had more time to drill down into the data we will explore the state of passwords and online authentication in more detail, starting with an infographic full of interesting password-related statistics:

Consider how people react to a request to change their online password. Here’s how people answered when we asked: If a social media site or online company with whom you have an account requests that you change your password, which of the following would you most likely do?

Always change my password: 31%

Sometimes change my password: 19%

Ignore the request: 18%

Contact company to see if request is genuine: 32%

In other words, a company asking its online account users to change their password can only count on 3 out of 10 them making the change. Half of the requests will either be ignored or, in a reflection of the sad state of online trust, generate some sort of customer service contact seeking verification of the request.

This finding provides a fresh way of looking at the cost of distrust. If a security breach creates a need to request 3 million users to reset their online passwords, you could be looking at 1 million unbudgeted customer service contacts. If you can keep average cost per contact as low as $1 that is still a $1 million bill.

Password change is coming, slowly

Switching to a user perspective on passwords, I think many of us share the feeling that password changing is burdensome. That burden can mean passwords are not changed as often as they should be to properly protect accounts.

Nevertheless, our survey revealed that some people are making an effort. We asked "How frequently do you change the password for the online account you use most often?" Here's a breakdown of the responses:

About once a year: 45%

About once every 6 months: 31%

At least once a month: 8%

Never: 16%

Of course, when you map those frequencies against the current levels of online attack they might not seem adequate, but frankly they are better than I expected (I would like to research the extent to which some of these changes were due to the online account itself forcing a change, as opposed to the self-motivated diligence of the respondents).

Password Patterns

The need to create and manage more and more passwords is one of the distinct downsides to living your life online. When it comes to password creation we all have our own strategies but in the survey we tried to get a sense of the elements people were using. We asked: "Which of the following do you use when creating a password for an online account?"

Something unique and random: 39%

Familiar name (e.g. of person, pet, or place): 21%

Name of a location: 6%

Sports team: 5%

Something else: 37%

Decline to answer: 19%

Again, I think these numbers are somewhat encouraging. The use of a familiar name is too high, but the number of people who were using something random, unique, or outside of the other categories was better than I expected. I also liked that almost 1 in 5 people declined to answer. The responses were pretty much the same across different demographic groups but, perhaps not surprisngly, men were more likely than women to use a sports team (7% to 4%). Women more likely to use a familiar name than men (24% to 16%).

Strategies for password management

When we published our first findings, we indicated that "safe" behavior (choosing complex passwords and using different passwords and PINs for different accounts), was more prevalent in older people.

For example, if you combine the responses to our three survey questions in this area you can see how they stack up in the chart on the left. The 55+ group scored "safer" than the group as a whole, with the 18-34 group lagging behind.

However, one commentator questioned the idea that younger people were less diligent with passwords, possibly because they were comfortable using technology to manage passwords.So here's what we found when we asked: How do you store and help yourself remember your online password(s)?

Memorize them all: 41%

Write them on a peice of paper: 29%

Store them in a file on my computer: 9%

Store them in email: 4%

Other: 11%

Decline to answer: 12%

The responses were pretty much the same across all demographics, although men were more likely than women to store passwords in a computer file (12% to 6%). However, women were more likely to write down their passwords on a peice of paper than men (31% to 26%).

But what about the use of password manager apps or web browsers to store online passwords. We found that just under 1 in 10 people are taking this approach.

Demographically speaking, the use of both of these strategies–password managers and browser storage–was more common in men than women (12% to 7%); at the same time, it was less common in people earning higher incomes. This may reflect the fact that higher earners tend to be older, because we did find that younger people are twice as likely to use technology to aid their password management as older people.

These findings suggest we should look more closely as technology for managing passwords. How helpful is it? How secure is it? Reply with a comment if you would like to share your experience with password managers. Do you use one? Do you like it? Let us know,

Abbreviated Methodology: This survey was conducted online within the United States by Harris Interactive on behalf of ESET. from August 27-29, 2012 among 2,129 adults age 18+. This online survey is not based on a probability sample and therefore no estimate of theoretical sampling error can be calculated. For complete survey methodology, including weighting variables, please contact stephen dot cobb at eset dot com.

The results are suspect, in my opinion. Many people have received enough security "training" to know the "right" answers to these questions, and I suspect they tend to bias the answers.
Over the years I have had a steady stream of people confide in me that they are violating this password rule or that, perhaps seeking absolution. The fact is that most of these password rules aren't useful any more: the threats have changed. We now have keystroke loggers, phishing sites, powerful dictionary attacks, and massive data spills from authentication systems. The rules taken from 1980s timesharing passwords are only slightly relevant today, though still a pain in the neck.
ches

David Harley

Bill, I have to agree. Good passwords are the ‘right’ answer to the wrong question. :(

Stephen Cobb

Bill — Your points are well taken. I would love an opportunity to test answers against practice. For example, do the people who say they use complex passwords really use them.
Your point about bias toward "right" answers may explain the higher percentage of older people giving the right answer more often.
However, we have done two different surveys this year in which only 32% of people reported having had any kind of security training, ever. For my money, that's a big part of the problem, right there.
Stephen

Curt Coker

I find it completely implausible that anyone memorizes all their online passwords, unless (uh-oh) they are all the same! Most people who are active online should need dozens of passwords. IMHO, we desperately need a secure way of using biometrics instead of passwords.

Janina

I have to admit, my main reason for not using password management applications is that I have no idea which ones may be trustworthy. I have a small number of passwords that I use across a variety of sites. I use the same low-security password (dictionary word plus a two-digit number) for virtually all low-security sites. Those are sites that require registration but do not have anything but publicly available information about me. I have 4-5 higher security passwords that I use for more important websites. I rarely change them, except for my work account. The real trouble comes in remembering my user names. For sites I care about, I write myself emails detailing the website name, the user name, and a cryptic note to myself about which password I used.